[pass] [PATCH] Allow custom subcommands - web of trust

Sylvain Viart sylvain at opensource-expert.com
Fri Oct 7 12:23:35 CEST 2016



On 07/10/2016 at 09:41, Brian Candler wrote:
>
> I can't see any way in which adding plugin signatures to pass itself
> is helpful. How are you going to choose which signatures to trust?
> Either pass is hard-coded with a list of trusted plugin authors, or
> you have to add the author keys too. In which case this is no better
> than either of the previous options. 


My message was to introduce signing for trust. It happens effectively
somewhat in .deb packages (there could be other examples, of course).

Web of trust is a way to delegate trust to other people whom you
trust, as far as I know. It was introduced a long time ago in GPG, for
example. You need to meet the person physically to fully trust his/her key.

So by following the links of trusted signatures you may, or may not,
come to trust a plugin using your own keyring.

I don't know if it is needed here for pass, but the subject has been
mentioned earlier in the link I posted. Maybe not in that form, but as
more and more really good plugins arrive, it could be interesting to think
about that.

Custom subcommands are a really pleasing concept, and I was thinking
out loud about how, and if, it needs to be achieved by signing custom scripts.

I'm also interested in how a "community trust" of signed keys could
behave, as it's also developed in free money software
<https://en.duniter.org/>.

Regards,
Sylvain.

-- 
Sylvain Viart - DevOps système linux - freelance developer
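
The "following the links of trusted signatures" idea from the message above, as an added example that is not part of the original post or of pass: a simplified model of web-of-trust key validity, used to decide whether a plugin's signing key is acceptable from one keyring's point of view. The function names, key names and sample keyring are constructed for illustration, and the rule is a simplification, not GnuPG's actual implementation.

```python
from collections import defaultdict

# Thresholds named after GnuPG's --completes-needed, --marginals-needed and
# --max-cert-depth options; the values are that tool's documented defaults.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5

def valid_keys(me, certifications, ownertrust):
    """Return {key: depth} for each key that is valid from `me`'s keyring.

    certifications: (signer, signee) pairs, i.e. "signer signed signee's key".
    ownertrust: {key: "full" | "marginal"}, how far `me` trusts that key's
    owner as an introducer; a missing entry means no trust.
    """
    signers_of = defaultdict(set)
    for signer, signee in certifications:
        signers_of[signee].add(signer)
    trust = {**ownertrust, me: "full"}
    valid = {me: 0}
    for depth in range(1, MAX_DEPTH + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # Only signatures made by keys that are already valid count.
            introducers = [s for s in signers if s in valid]
            full = sum(trust.get(s) == "full" for s in introducers)
            marginal = sum(trust.get(s) == "marginal" for s in introducers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

def plugin_accepted(signer, me, certifications, ownertrust):
    """A plugin is accepted only if its signing key is valid for `me`."""
    return signer in valid_keys(me, certifications, ownertrust)

# Constructed keyring: names stand in for key fingerprints.
CERTS = [("me", "alice"), ("alice", "bob"), ("bob", "carol"),
         ("me", "m1"), ("me", "m2"), ("me", "m3"),
         ("m1", "erin"), ("m2", "erin"), ("m3", "erin"),
         ("m1", "frank"), ("m2", "frank")]
OWNERTRUST = {"alice": "full", "m1": "marginal", "m2": "marginal",
              "m3": "marginal"}

if __name__ == "__main__":
    for author in ("bob", "carol", "erin", "frank"):
        print(author, plugin_accepted(author, "me", CERTS, OWNERTRUST))
```

In this keyring bob and erin are reachable (one fully trusted introducer, or three marginal ones), while carol and frank are not: a signature chain existing is not enough if the intermediate key's owner is not trusted as an introducer.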
